Last updated: February 27th, 2023
- Definition of PI
- Information for Users of PebblePost’s Site
- Information Relating to PI Obtained When Brand Partners Use PDM Services
- How PI Is Secured and Retained
- Your Rights Regarding PI
1. Definition of PI
2. Information for Users of PebblePost’s Site
In the past twelve (12) months, we collected the below categories of PI from you when you used PebblePost’s Site:
– Identifiers (such as your name, email address and physical address)
– Internet or other electronic network activity information (such as cookies and mobile device IDs, and related browsing information)
– Geolocation data (as inferred from IP address)
The source of PI we collect:
We collect PI directly from you when you use our Site. We also collect PI automatically or indirectly from you through logging tools, cookies, pixel tags, and as a result of your use of and access to the Site. We also receive PI from our Brand Partners in connection with the PDM Services.
The business purpose for collecting your PI:
We use such information to contact you regarding our PDM Services, and to remember your preferences on our Site. We may use your PI to: (i) communicate with you about our products and services; (ii) communicate with you via email to provide certain information to access our blogs or to download certain information on the website; (iii) review your job application; (iv) provide you content, including but not limited to newsletters or blog posts; (v) serve other purposes for which we provide specific notice at the time of collection; (vi) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for that activity; (vii) as otherwise authorized or required by applicable law; and (viii) as necessary or appropriate to protect the rights, property, and safety of our users, us, and other third parties.
Categories and purposes of third parties with whom we may share PI:
We share PI with our service providers, who may use your PI to provide us with services, such as printing providers, hosting providers and email service providers; provided, however, such service providers are only authorized by us to use the PI in connection with their performance of services for us.
In addition, we may, in the future, sell or otherwise transfer some or all of our business, operations or assets to a third party, whether by merger, acquisition or otherwise. PI we obtain from or about you via the Site may be disclosed to any potential or actual third-party acquirers and may be among those assets transferred.
In the past twelve (12) months, we shared for a business purpose the following categories of PI with the following categories of third parties:
– Identifiers: service providers (e.g. printing and data partners)
– Internet or other electronic network activity information: service providers (e.g. printing and data partners)
Site user responsibility: Users are responsible for ensuring the accuracy of PI that is submitted through the Site.
By deleting our cookies or disabling future cookies you may not be able to access certain areas or features of our Site or some of its functionality may be affected. Cookies and similar items are not used by us to automatically retrieve information that can individually identify you from your device without your knowledge.
Global Privacy Control (GPC) signals: Some browsers have a Do Not Track (“DNT”) feature that lets users signal to websites that they do not want to have their online activities tracked. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers. However, we treat Global Privacy Control signals as a means of opting out of the sale or sharing of personal information, or of opting out of the processing of personal information for targeted advertising, as applicable. Please see the sections titled Rights for California, Connecticut, and Colorado Residents and Rights for Nevada Residents below.
Links to Other Websites: We may link to content contained on other websites. We are not responsible for the content of other websites and your use of those websites is subject to the privacy practices of those websites.
3. Information Relating To PI Obtained When Brand Partners Use PDM Services
Categories of PI that we collect about consumers when Brand Partners use PDM Services: We may collect identifiers (such as names, email addresses, physical addresses) and online identifiers (such as cookies and mobile device IDs, and related browsing information).
When Brand Partners use our PDM Services, we may receive PI from three sources:
1. Brand Partners provide PI to PebblePost and are required to give their consumers full notice of such PI collection and provide their consumers with the ability to opt out of the collection or sale of their PI in compliance with all applicable laws.
3. PebblePost receives online and offline information from our service providers to facilitate the Services, and maintains databases of such information. Service providers comply with all applicable laws in providing consumers notice and the ability to opt out of the collection or sale of PI. The provision of Services to Brands may include working with third party service providers to match online data with mailing addresses of Brand Partners’ consumers.
Business purpose for collecting and receiving consumer PI: PebblePost uses PI in order to provide the PDM Services to Brand Partners, including the mailing of direct mail marketing pieces to consumers’ mailing addresses on behalf of Brand Partners.
Categories and purposes for sharing consumers’ PI with third parties: These include but are not limited to: (i) providing PDM Services to Brand Partners to deliver direct mail pieces to consumer mailing addresses; (ii) investigation of suspected fraud or violations of law or of any party’s rights; and (iii) to our third-party service providers, such as hosting providers and email service providers, but only as they are authorized by us to use such information in connection with their performance of services for us.
4. How PI Is Secured
We maintain reasonable and appropriate physical, technical, and organizational safeguards designed to promote the security of our systems and protect and secure user and Brand Partner consumers’ PI. Those safeguards include: (i) the pseudonymization and encryption of PI where we deem appropriate; (ii) taking steps to ensure PI is backed up and remains available in the event of a security incident; and (iii) periodic testing, assessment, and evaluation of the effectiveness of our safeguards. However, no method of safeguarding information is completely secure. While we use measures designed to protect PI, we cannot guarantee that our safeguards will be effective or sufficient. In addition, you should be aware that Internet data transmission is not always secure, and we cannot warrant that information you transmit utilizing the Site is or will be secure.
We retain PI only for as long as there is a legitimate business need, as well as to the extent we deem necessary to carry out the processing activities described above, including but not limited to compliance with applicable laws, regulations, rules and requests of relevant law enforcement and/or other governmental agencies, and to the extent we reasonably deem necessary to protect our and our partners’ rights, property, or safety, and the rights, property, and safety of our users and other third parties.
5. Your Rights Regarding PI
For users of PebblePost’s Site: If you have signed up to receive our marketing emails and prefer not to receive marketing information from this Site, follow the “unsubscribe” instructions provided on any marketing e-mail you receive from this Service.
For consumers of Brand Partners: You may exercise your right to opt out of receiving PDM Services from PebblePost here.
- Rights For California, Connecticut, and Colorado Residents
If you are a resident of one of the above states, the California Consumer Privacy Act and its successor legislation (“CCPA”), the Connecticut Data Privacy Act (“CTDPA”), and the Colorado Privacy Act (“CPA”) provide additional rights listed below.
- “Right to Delete”: You may request that we delete any PI we possess about you, subject to certain exceptions as provided under applicable laws. PebblePost will respond or request an extension to respond within 45 days.
- “Right to Know”: You may request that we disclose certain information to you about the PI we collected, used, disclosed, and shared about you in the past 12 months. This includes a request to know any or all of the following: the categories of PI collected about you, the categories of sources from which the PI is collected, the purpose for collecting and selling the PI, the categories of third parties with whom we share the PI and the specific pieces of PI collected about you. PebblePost will respond or request an extension to respond within 45 days.
- “Right to Data Portability”: You have the right to request a copy of PI we have collected and maintained about you in the past 12 months. PebblePost will respond or request an extension to respond within 45 days.
- “Right to Correct”: You have the right to correct inaccurate PI that we have collected and maintained about you. PebblePost will respond or request an extension to respond within 45 days.
- “Do Not Sell or Share My Personal Information”: We share identifiers and internet or other electronic network activity information with service providers (e.g. printing and data partners). To opt out of selling or sharing your data, click here. For California residents, PebblePost will respond or request an extension to respond within 15 days. For Connecticut and Colorado residents, PebblePost will respond within 45 days.
- Rights for Nevada Residents
Nevada law permits our users who are Nevada consumers to request that their PI not be sold (as defined under applicable Nevada law), even if their PI is not currently being sold. You may exercise the right below regarding your PI.
- “Do Not Sell or Share My Personal Information”: We share identifiers and internet or other electronic network activity information with service providers (e.g. printing and data partners). To opt out of selling or sharing your data, click here. PebblePost will respond or request an extension to respond within 45 days.
You may exercise your rights above, free of charge, by:
- Completing the form located here
- Sending requests to firstname.lastname@example.org
- Mailing in your request to us by completing all of the information indicated in the form (linked here) and mailing the form to:
Attn: Privacy Officer
119 West 24th Street, 5th floor
New York, NY 10011
Notice to Consumers of Brand Partners: In the event PebblePost has received your PI from a Brand Partner, you should contact that Brand Partner directly and inquire about your PI or you may request deletion of your PI from PebblePost as set forth above by completing the form above. Note that PebblePost does not “sell” your PI so “Do Not Sell” requests should be made to Brand Partners directly.
Verification & Right to Authorized Agent: We will maintain procedures to verify that you are authorized to make the requests set forth above. You may also designate an authorized agent to make these requests by emailing us at email@example.com or by completing the form indicated above. PebblePost requires verification that such agent has the authority to act on your behalf.
Non-Discrimination: We do not discriminate against you for exercising any of your rights above.
Children: Our Site and Brand Services are not intended for children under 13 years of age. We do not knowingly collect individually identifiable information from children under 13. If you are under 13, do not use or provide any individually identifiable information on this Site. If we learn we have collected or received individually identifiable information from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any individually identifiable information from or about a child under 13, please contact us at firstname.lastname@example.org.
International Use: At PebblePost, your PI will be stored and processed in the United States. If you are using the Site from outside the United States, by your use of the Site you acknowledge that we will transfer your data to, and store your PI in, the United States, which may have different data protection rules than in your country, and PI may become accessible as permitted by law in the United States, including to law enforcement and/or national security authorities in the United States.
Data Protection and Cybersecurity
We know our brands take data protection and cybersecurity seriously. We are dedicated to delivering customer-centric, relevant and meaningful direct mail campaigns, in ways to help our Brands stay in line with applicable data protection laws. What is our multi-tiered strategy?
– We only mail to households leveraging U.S. addresses
Additional Compliance Layers
– PebblePost works with our Brands to set up their Tag Managers on their site to exclude PebblePost’s JS from being called when any known EU visitors visit the Brand site.
– PebblePost advises our Brands to remove any non-US customers from their customer files when passing such data to PebblePost.
– Leveraging our proprietary technology, we circle back and check again. If PebblePost identifies any Brand IP Address or other online identifier as being related to an EU user in a campaign, PebblePost permanently deletes all data related to that user from our system immediately.